On 17.05.2012 20:25, Radek Madej wrote:
> Hi,
>
> On Wednesday 16 May 2012 17:29:44 Anthony G. Basile wrote:
>> On 05/16/2012 12:12 PM, PaX Team wrote:
>>> On 16 May 2012 at 16:39, Hinnerk van Bruinehsen wrote:
>>>
>>>> at the moment the thunderbird-ebuild in the tree does a "pax mark m"
>>>> on the binary.
>>>> At least for me thunderbird works fine if I just disable jit.
>>>
>>> there're a few packages that define a local 'jit' USE flag, i'd say
>>> thunderbird/firefox/etc should use it as well to disable JIT related
>>> options and avoid the pax-mark (not sure why pax-kernel came to mean
>>> this, that's for kernel modules, not userland, and this JIT stuff is
>>> useful for more kernels than just PaX based ones).
>>>
>>
>> This flag was introduced to distinguish the above from USE="hardened"
>> which only refers to the toolchain, and the goodies it brings along.
>>
>> Having said that, it's clearly better to disable JIT and not pax mark
>> than vice versa. We have jit disabled by default in the hardened profiles.
>>
>
> ...so in the above example it's better to define the 'jit' flag in the ebuild
> for thunderbird rather than using 'pax_kernel'? Or should '-jit' and
> 'pax_kernel' result in disabling JIT in the ebuilds?
>
> I do exactly the same stuff (if 'pax_kernel': disable_jit() :) ) for firefox on my
> local overlay which allows me to run the latest Firefox with mprotect on and no
> paxmarkings (I don't care about plugins on FF). Judging by what you've said,
> it'd be better to simply use the 'jit' flag for it as it's disabled on the hardened
> profiles anyway...
>
> In theory we could then have the jit flag on both Thunderbird and Firefox,
> which would allow the hardened users to benefit from mprotect, however any use
> of flash/java on FF would result in a crash anyway...but it's nice to have the
> choice, methinks... :)
>
> Cheers,
> Radek
>
>

If I understand it correctly, it should be the following way:

use pax_kernel to disable jit as the default and use jit to override
pax_kernel so people who would like to use, for example, flash could
enable it, if they want.

This way hardened would be the default, which would be the behaviour I would
expect for a hardened profile.

The most important question for me is: should I file a bug for that?

With kind regards,

Hinnerk